Stephen Smalley wrote:
> On Wed, 2009-02-25 at 15:50 -0500, Eric Paris wrote:
>
>> So the X people here at Red Hat complained the other day that they have
>> to do an open, write, read, close very very often on /selinux/create.
>> They'd like to cut the number of syscalls down. Even if the open and
>> close are fast, they are still syscalls that still take time and still
>> provide maximum limits on the operations per second they can do. (I
>> think ajax said he was estimating it at 10000/sec, but I don't remember
>> the math or even if it was reasonable)
>>
> Wouldn't it be simpler and more efficient to just start caching the
> results of security_compute_create in the AVC so that
> avc_compute_create() will get most answers from the cache, just like
> avc_has_perm()?
>

Yes, this is the way to go. All of the compute_create calls made from the SELinux extension are done through the avc_compute_create() helper function in libselinux and a cache layer could be added to that function to avoid the call to security_compute_create_raw() which calls the filesystem, similar to how avc_has_perm_noaudit() works.

This has been proposed in the past, just not implemented yet.

--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency
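The cache layer discussed in this thread, sketched as an added example (not code from the original messages or from libselinux): a lookup keyed on (source context, target context, class) that only falls through to the expensive query on a miss, and treats entries from an older policy load as misses so a reload cannot leave stale labels in use. `backend_compute_create()`, `policy_seqno`, `policy_reload()`, the table sizes and the toy result string are all hypothetical stand-ins; a real implementation would call `security_compute_create_raw()` on a miss.

```c
#include <stdio.h>
#include <string.h>
#define SLOTS   64
#define CTX_MAX 96

struct entry { int used; unsigned seqno; unsigned short tclass;
               char scon[CTX_MAX], tcon[CTX_MAX], newcon[CTX_MAX]; };
static struct entry cache[SLOTS];
static unsigned policy_seqno = 1;  /* constructed: bumped on every policy reload */
static unsigned backend_calls;     /* counts simulated /selinux/create round trips */

/* Hypothetical stand-in for the real query; toy result that changes per policy load. */
static int backend_compute_create(const char *scon, const char *tcon,
                                  unsigned short tclass, char *out, size_t n)
{
    (void)scon; (void)tclass;
    backend_calls++;
    int r = snprintf(out, n, "%s.gen%u", tcon, policy_seqno);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

static unsigned slot_for(const char *s, const char *t, unsigned short c)
{
    unsigned h = 2166136261u;                       /* FNV-1a over the whole key */
    for (; *s; s++) h = (h ^ (unsigned char)*s) * 16777619u;
    for (; *t; t++) h = (h ^ (unsigned char)*t) * 16777619u;
    return ((h ^ c) * 16777619u) % SLOTS;
}

void policy_reload(void) { policy_seqno++; }  /* older entries now count as misses */
int cached_compute_create(const char *scon, const char *tcon,
                          unsigned short tclass, char *out, size_t n)
{
    if (strlen(scon) >= CTX_MAX || strlen(tcon) >= CTX_MAX)  /* too long to cache */
        return backend_compute_create(scon, tcon, tclass, out, n);
    struct entry *e = &cache[slot_for(scon, tcon, tclass)];
    if (e->used && e->seqno == policy_seqno && e->tclass == tclass &&
        !strcmp(e->scon, scon) && !strcmp(e->tcon, tcon)) {
        int r = snprintf(out, n, "%s", e->newcon);           /* hit: no syscalls */
        return (r < 0 || (size_t)r >= n) ? -1 : 0;
    }
    if (backend_compute_create(scon, tcon, tclass, out, n) < 0) return -1;
    e->used = 0;                                             /* evict, then refill */
    if (strlen(out) < CTX_MAX) {
        strcpy(e->scon, scon); strcpy(e->tcon, tcon); strcpy(e->newcon, out);
        e->tclass = tclass; e->seqno = policy_seqno; e->used = 1;
    }
    return 0;
}
```

The full key is compared on every hit, so a hash collision between two different context pairs costs a miss rather than returning the wrong label.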